Having a solid cybersecurity defense plan is arguably just as important as having a robust offense. Case in point: a recent Experian report found that nearly two-thirds (66%) of the data protection and privacy training professionals surveyed labeled their own employees as the weakest link in safeguarding their organization from cyber threats. Even as tedious security tasks become automated, it is still essential to provide online security awareness training for employees to prevent future security incidents. Being prepared before an incident happens is paramount to the continued success of your organization, and that requires an ironclad training program to be designed and implemented before threats become breaches. With this in mind, let’s review the importance of cybersecurity awareness training and how you can build an organization that is compliant and focused on defending against cyber threats.
Cybersecurity is a topic that is often dismissed by organizations who feel that the effort (and budget) would be better spent elsewhere. People who feel this way usually base that view on not having experienced a breach yet. These organizations (and their employees) think, ‘Who would want to attack us?’ Opportunists, that’s who. Automated scanning and commodity malware do not care who you are; they care whether you are exposed. That’s why having a flexible yet durable cybersecurity strategy in place is so important. Think of it like a spare tire for your vehicle. Even if you’ve never had a flat, having a spare in the trunk gives you the peace of mind to keep your vehicle (business) running no matter how big the nail you run over.
The key to protecting your organization is developing and maintaining a strong, well-rehearsed incident response plan that every employee can easily follow. This kind of plan calls for the formal onboarding and training of all employees (not just those in IT) so that cybersecurity becomes part of their daily job responsibilities rather than an afterthought to their role. Therefore, compliance and vulnerability are key topics to understand before creating a cybersecurity awareness plan.
Whether your business is trying to become PCI DSS compliant or obtain some other certification, it will need to practice compliance from the ground up, since certain cybersecurity awareness training is often mandatory. Being compliant is key to establishing trust with your partners and vendors, but just because you’re compliant doesn’t mean you’re 100% secure: compliance sets a minimum baseline of controls, not a ceiling. For instance, if you were attacked tomorrow, demonstrable compliance would help limit the damage in the public eye or in a court of law, thereby lowering the reputational and legal exposure for stakeholders, vendors and consumers, even though it would not by itself have stopped the attack.
The fact remains that 74% of U.S. companies in a recent Thales global survey felt that adhering to compliance requirements is a ‘very’ or ‘extremely’ effective way to keep sensitive data secure. This shows that even if compliance is not a mandatory requirement for your organization, working toward it still helps you accomplish the goal of cybersecurity awareness. Compliance drives both short-term change and long-term improvement by engaging and training employees to remain vigilant against cyber threats. By understanding the problems with their current security behavior, employees can improve their habits and help form a strong human security perimeter for their organization.
After the dust settled on 2017, the Ponemon Institute found that 77% of successful compromises were fileless. Fileless infections execute in the system’s memory rather than dropping an executable to disk, often persisting in the system’s registry (for example as a scheduled script or autorun entry) until found and remediated, which is why traditional file-scanning antivirus frequently misses them. These targeted attacks exploit vulnerabilities via malware, phishing, and other malicious techniques to infiltrate an organization’s network infrastructure and locate high-value data. Although fileless infections may not account for the bulk of recent data breaches, the development and large-scale distribution of exploit kits has made fileless malware attacks much more common. Making your employees aware of the current and emerging cyber threats that can bring companies of all sizes crumbling to the ground is key.
The key point to recognize is that attackers constantly change their tactics, and keeping your defense in stride with their offense makes for a sustainable strategy. Hackers are no longer hyper-focused on servers and workstations. Instead, they have shifted their attention to directly targeting mobile applications and users as a path into networks and data (and for good reason). According to Pew Research, 77% of Americans now own a smartphone, nearly 75% own a desktop or laptop computer, and roughly 50% own tablets. With 59% of companies allowing employees to use their own devices at work and another 13% planning to in the near future, hackers have their pick of the litter when it comes to digital entry points into the network. This is why including cybersecurity in mainstream education is critical to nurturing the next generation of tech-savvy adults in the workforce.
In 2004, October was designated National Cyber Security Awareness Month (NCSAM) thanks to an initiative promoted by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA). Although 90% of organizations polled in a recent CA Technologies survey felt vulnerable to malicious or accidental insider attacks, little has been done to address that vulnerability. Overall, 45% of employees receive no cybersecurity training from their employer, which leaves them with inadequate knowledge of how to act during a cyber-attack. Preparing your workforce for the possibility of a cyber-attack takes training that outlines:
- How to spot a cyber-attack
- Who to turn to for remediation
- Why they’re being targeted in the first place
The cybersecurity skills gap continues to grow, with 69% of businesses saying they are under-resourced because they can’t find enough qualified IT staff to fill expanding security departments. Mitigating this widespread issue requires a comprehensive cybersecurity awareness training plan that helps all employees (current and new) answer the How, Who, and Why questions listed above. Training gives your company a security-minded staff that becomes an indispensable first line of cybersecurity defense.
Cybersecurity Awareness Training Methodology
The opportunistic nature of threat actors calls for organizations to act proactively in reducing their overall security risk. Many traditional cybersecurity awareness training programs pile on statistics, scenarios, and information in a volume that overwhelms even the most tech-savvy employees. Giving your team the right amount of information in an easy-to-digest format is important so that they retain it in both the short and long term.
Consider building sessions around engaging topics such as penetration testing and vulnerability scanning, which show employees concretely how an attacker finds a way in. However you structure your company’s cybersecurity awareness plan, make sure that training is continuous and that everyone is learning the same material. Settling for a once-a-year topic checklist won’t keep up with the ever-evolving technology landscape. Focus on proactive risk reduction rather than the passive knowledge accumulation that results when a C-suite executive mass-forwards a link to the latest industry report. Attackers often move on from a network once they find that the organization has a solid defense and that the effort is not worth the risk.
One of the best ways to engage users in solving problems, while also motivating them through competition and reward elements, is gamification. This methodology has been used in many organizations to train employees on topics they might not otherwise be inclined to learn about. 79% of participants in a recent Pulse Learning study said they would be more productive and motivated if their learning environment were more ‘game-like.’ Learning via gamification has been shown to improve motivation as well as engagement, performance feedback, and productivity.
Infusing your cybersecurity awareness training with gamification can altogether change the way your organization thinks about cybersecurity. Depending on how the gamified content is structured, it can also improve collaboration and communication within your organization. If the games reward individual accomplishments, employees learn to work more autonomously. If they are structured around team-based instruction, the broader work culture may see some supplemental improvement.
Organizations looking to improve their cybersecurity awareness skills must understand the fundamentals first. A 2017 report by Cybersecurity Ventures predicts that the cybersecurity awareness training market will grow ten-fold, from $1 billion in 2014 to $10 billion by 2027. In that future market, individuals may sign up for their own training to get ahead in the job market and stand out from the sea of applicants. Until we cross that bridge as a culture, we must first build the foundation within our organizations. This is done by taking the top employee training techniques and putting them into practice in the classroom (digital or physical).
According to a 2018 Crowd Research Partners report, the most common cause of insider threats to an organization is ‘accidental exposure by employees.’ Phishing, weak or reused passwords, and poor password-sharing practices rounded out the top human-error issues that regularly plague organizations. This shows that no matter how much technology is used to secure a network environment, human error will ultimately open the door to malware unless people are trained to recognize and avoid it.
It’s true that your employees are your first line of defense, but unfortunately, without proper training, they also tend to be the weakest link in your network security. Effectively influencing positive cyber behavior in your employees calls for these best practices in your cybersecurity awareness training:
Step 1: Create opportunities for knowledgeable employees to mentor their colleagues in identifying the everyday behaviors (such as clicking unexpected links or reusing passwords) that create existing cybersecurity problems.
Step 2: Create opportunities for employees to learn and practice solutions, so that cybersecurity knowledge is retained over the long term.
Step 3: Quiz employees on that knowledge after a set number of months to verify that the lessons have stuck, and use the results to target the next round of training.
A cybersecurity awareness training plan shouldn’t be a plug-and-play model that can be transferred unchanged from company to company. Instead, it should be a program tailored to the organization’s own cybersecurity risk management goals. By taking a more holistic approach to cybersecurity awareness, you can transform your company culture to be more security-centric, thus influencing the long-term positive behavior of individual employees. As employees come to fully appreciate the risks of mismanaging their passwords and letting threat actors wreak havoc on the network, their exposure to those threats becomes measurably reduced.
Developing a fully security-aware culture and program is an ongoing process that depends on understanding your organization’s strengths and weaknesses. This is done through periodic (more frequent than once a year) audits of the cybersecurity training itself, to identify where improvements can (and should) be made in future sessions. By creating a realistic plan that builds cybersecurity best practices into your goals, you can promote an active security culture.
Keeping your employees informed on how to identify and respond to new risks as they develop is key. Between mandated training sessions, it’s best for leadership to circulate a regular security email that describes the latest scams and the methods attackers use to get past your defenses. It’s also worth putting together a supplemental security briefing with a few slides every month or two that explains the importance and value of cybersecurity awareness to new employees and staff members. Once your culture becomes comfortable with these briefings and trainings, employees will find it second nature to seek out cybersecurity resources and training on their own, further deepening their understanding of the topics that keep the organization safe.